After nearly a decade of ‘it’s nearly here’ the Protection of Personal Information Act’s (PoPIA) arrival is genuinely imminent. Compliance with the Act is viewed as being expensive, intimidating, and confusing – leaving many businesses of all sizes unsure of how to approach the challenge. Small businesses may become daunted by the apparent cost of compliance. The real question is, can any business afford non-compliance?
PoPIA is designed to protect personal information processed by public and private bodies. “Personal Information” is that data which alone, or in combination allows a person to be uniquely identified, and any information that may tell the reader something about someone. The Act came into effect on 1 July 2020, with a 12-month grace period. From 1 July 2021, non-compliance will come with substantial penalties, including: a fine or imprisonment of between R1 million and R10 million or one to 10 years in jail; and financial compensation for damages suffered by data subjects.
In a world that has already been forced to digitise faster than ever before, concentrating on another area of restructuring may appear overwhelming. For this reason, local provider of e-signature solutions in South Africa, Impression Signatures, has embarked on a campaign to demystify PoPIA, making reliable information available to businesses of all sizes, at no cost. This campaign drives compliance by explaining not only why it’s important, but the terms, requirements, and obligations created by the Act too.
POPIA is quite clear, the burden of proof that consent was obtained rests with the ‘responsible party’; the entity or person responsible for gathering the information. This means that it is up to the business to prove that they got consent from the customer, and not the customers responsibility to prove that they gave consent. It is expensive because systems that were not planned or designed with privacy in mind struggle to retrofit changes into legacy models and processes. In some cases, everything needs to be re-engineered.
If the data is retained for any reason it must be safeguarded. This includes securing storage of this data so that unauthorised third parties do not have consent to access this data, and that people within the organisation, who are not part of the legitimate processing of that data do not have access either. These data management activities should also be provable, so a company should be able to prove that customer data is safe.
“Accessibility is key, and many small businesses simply cannot afford expensive lawyers, consultants, or data consulting experts to help them re-engineer their processes. We place a large focus on accessibility. It’s why our software runs on USSD – because we understand that not everyone has a smart phone, and that shouldn’t preclude them from participating in the local (or global) economy,” confirms Carrie Peter, Solution Owner at Impression Signatures.
Peter confirms that, much like the General Data Protection Regulation (GDPR), PoPIA comprises three main principles: who can have access to data; what data can they have access to; and how can they use this data? The Impression PoPIA Campaign seeks to explain the definitions in a more palatable format, while giving businesses confidence in their approach to compliance.
With this information at hand, organisations are empowered to take a risk-based approach to compliance. “Operating in accordance with the Act must be accessible to all. The focus should be on affordable solutions, and reliable guidance that helps businesses embrace a cost-based, business centric approach to applying PoPIA. Businesses must understand their appetite for risk, and the level of data security that each individual contract requires,” concludes Peter.